[30636] in Kerberos


Re: mod_auth_kerb: gss_accept_sec_context() failed

daemon@ATHENA.MIT.EDU (Andrew Cobaugh)
Fri Jan 16 15:50:05 2009

Message-ID: <1b8d56200901161249q19a90e9ne7dd28c1552a8984@mail.gmail.com>
Date: Fri, 16 Jan 2009 15:49:12 -0500
From: "Andrew Cobaugh" <phalenor@gmail.com>
To: "=?ISO-8859-1?Q?Michael_Str=F6der?=" <michael@stroeder.com>
In-Reply-To: <2g5746-jue.ln1@nb2.stroeder.com>
MIME-Version: 1.0
Content-Disposition: inline
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

On Fri, Jan 16, 2009 at 2:58 PM, Michael Ströder <michael@stroeder.com> wrote:
> Hi!
>
> I'm trying to test mod_auth_kerb-5.4 built with MIT libs 1.6.3 for
> SPNEGO/Kerberos working with MS AD W2K3SP1. My ultimate goal is to
> receive a forwardable ticket (env var KRB5CCNAME) and use that for LDAP
> SASL/GSSAPI bind to AD. The service account in AD is AFAICS properly
> initialized.
>
> The web browser is Seamonkey and it already sends the
> Authorization: Negotiate YIIE0AYGKwYBBQ[..]
> in the HTTP request.
>
> But it does not work. I don't get authorized HTTP access.
> In Apache's error_log I find:
> gss_accept_sec_context() failed: Unspecified GSS failure.  Minor
> code may provide more information (, Decrypt integrity check failed)

Are you sure that the keytab specified by Krb5Keytab is consistent
with the HTTP service principal that is in AD? That message is the
same as saying "your password is wrong."

Also, if you're going to use mod_auth_kerb to do GSS, you'll need a
patch so that mod_auth_kerb sets up the GSS environment correctly, so
that your application will use the correct KRB5CCNAME:

http://users.bx.psu.edu/~phalenor/code/mod_auth_kerb-5.4-set_gss_ccache_name.patch

--andy

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
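
An added example, not part of the original message and not mod_auth_kerb code: one way to run the keytab consistency check suggested above is to compare the key version number (KVNO) that `klist -k` shows for the HTTP principal with the one the KDC reports through `kvno`. The principal name, keytab path and sample outputs are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: is the keytab's key version (KVNO) the one the KDC issues?
# Live use (needs a TGT from kinit; path and principal are placeholders):
#   check_keytab "$PRINC" "$(klist -k /path/to/http.keytab)" "$(kvno "$PRINC")"

# Print each KVNO that `klist -k` output (stdin) lists for principal $1.
keytab_kvnos() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { print $1 }' | sort -un
}

# Print the KVNO that `kvno` output (stdin) reports for principal $1.
kdc_kvno() {
    awk -v p="$1" '$1 == (p ":") && $2 == "kvno" { print $4 }'
}

# check_keytab PRINCIPAL KLIST_TEXT KVNO_TEXT
# Exit status: 0 ok, 1 stale key, 2 principal not in keytab, 3 no KDC answer.
check_keytab() {
    princ=$1
    have=$(printf '%s\n' "$2" | keytab_kvnos "$princ")
    want=$(printf '%s\n' "$3" | kdc_kvno "$princ")
    if [ -z "$have" ]; then echo "missing: $princ not in keytab"; return 2; fi
    if [ -z "$want" ]; then echo "unknown: no kvno from KDC for $princ"; return 3; fi
    for k in $have; do
        if [ "$k" = "$want" ]; then echo "ok: keytab has kvno $want"; return 0; fi
    done
    echo "stale: keytab has kvno $(echo $have | tr ' ' ',') but KDC issues $want"
    return 1
}

# Constructed sample output (not taken from the thread): the keytab still
# holds kvno 3 while the KDC now issues tickets encrypted with kvno 4.
SAMPLE_PRINC='HTTP/www.example.com@EXAMPLE.COM'
SAMPLE_KLIST='Keytab name: FILE:/etc/httpd/conf/http.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/www.example.com@EXAMPLE.COM'
SAMPLE_KVNO='HTTP/www.example.com@EXAMPLE.COM: kvno = 4'

check_keytab "$SAMPLE_PRINC" "$SAMPLE_KLIST" "$SAMPLE_KVNO" || true
```

A matching KVNO does not prove the keys are equal: if the check reports ok and the error persists, the keytab key was most likely derived from a different password or salt than the account's current one.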

